Professional Documents
Culture Documents
SECURITY
INCIDENTS 2021
Annual Report
JULY 2022
0
TRUST SERVICES SECURITY INCIDENTS 2021
JULY 2022
ABOUT ENISA
The European Union Agency for Cybersecurity (ENISA) has been working to make Europe
cyber secure since 2004. ENISA works with the EU, its member states, the private sector and
Europe’s citizens to develop advice and recommendations on good practices in information
security. It assists EU member states in implementing relevant EU legislation and works to
improve the resilience of Europe’s critical information infrastructure and networks. ENISA
seeks to enhance existing expertise in EU member states by supporting the development of
cross-border communities committed to improving network and information security
throughout the EU. Since 2019 it has been drafting cybersecurity certification schemes. More
information about ENISA and its work can be found at www.enisa.europa.eu.
CONTACT
For technical queries about this paper, please email info@enisa.europa.eu.
For media enquiries about this paper, please email press@enisa.europa.eu.
AUTHORS
Apostolos Malatras, Edgars Taurins, Marnix Dekker
ACKNOWLEDGEMENTS
We are grateful for the review and input received from the experts in the ENISA Article 19
Expert Group which comprises experts from more than 30 national supervisory bodies (SBs)
in the EU, EFTA, EEA and EU candidate countries. The group is currently chaired by a
representative of RTR Austria.
LEGAL NOTICE
Please note that this publication represents the views and interpretations of ENISA, unless
stated otherwise. This publication should not be construed to be a legal action of ENISA or
ENISA bodies unless adopted pursuant to Regulation (EU) No 2019/881. This publication
does not necessarily represent the state-of-the-art and ENISA may update it from time to time.
Third-party sources are quoted as appropriate. ENISA is not responsible for the content of the
external sources including external websites referenced in this publication.
This publication is intended for information purposes only. It must be accessible free of
charge. Neither ENISA nor any person acting on its behalf is responsible for the use that might
be made of the information contained in this publication.
COPYRIGHT NOTICE
© European Union Agency for Cybersecurity (ENISA), 2022
This publication is licenced under CC-BY 4.0 “Unless otherwise noted, the reuse of this
document is authorised under the Creative Commons Attribution 4.0 International (CC BY 4.0)
licence https://creativecommons.org/licenses/by/4.0/). This means that reuse is allowed,
provided that appropriate credit is given and any changes are indicated”.
1
TRUST SERVICES SECURITY INCIDENTS 2021
JULY 2022
TABLE OF CONTENTS
1. INTRODUCTION 6
1.1 SCOPE 6
1.3 CONTENT 6
1.4 DISCLAIMER 6
3. INCIDENT ANALYSIS 12
5. CONCLUSIONS 22
2
TRUST SERVICES SECURITY INCIDENTS 2021
JULY 2022
EXECUTIVE SUMMARY
The EU’s eIDAS regulation (EU Regulation 910/2014) sets rules for electronic identity schemes
and trust services in Europe, national eID schemes, cross-border interoperability and recognition. HIGHLIGHTS 2021
eIDAS was adopted in July 2014 and came into force in 2016. One of the goals of eIDAS is to
ensure that electronic signatures can have the same legal standing as traditional signatures and to
The number of notified
remove barriers to electronic commerce and all types of electronic transactions in the EU. The
incidents is steadily
eIDAS regulation aims to:
increasing.
• ensure that people and businesses can voluntarily use their own national electronic The number of incidents
identification schemes (eIDs) to access public services available online in other EU
countries. with minor and large
• create a European internal market for trust services by ensuring that they will work across impacts has increased.
borders and have the same legal status as their traditional paper-based equivalents.
As in previous years,
Article 19 of the eIDAS regulation sets out the security requirements for the trust service providers most reported incidents
(TSPs) and introduces mandatory reporting of security breaches for TSPs in the EU. The reporting concern qualified
obligation consists of three parts.
certificates.
• Trust service providers must notify security breaches that have a significant impact to the
national supervisory bodies. System failures account
for almost half of
• The national supervisory bodies must inform each other and ENISA if there are
breaches which have an impact across borders. incidents and have been
• Every year national supervisory bodies must send annual summary reports about the the dominant root cause
notified breaches to ENISA and the Commission. for the last five years of
incident reporting.
This report, the Annual Report Trust Services Security Incidents 2021, provides an aggregated
overview of the notified breaches for 2021, analysing root causes, statistics and trends. This
2021 witnessed an
report marks the sixth round of security incident reporting for the EU’s trust services sector.
increased in incidents
In this round of annual summary reporting a total of 27 EU countries and 3 EEA countries took caused by malicious
part. They reported a total of 46 incidents. actions (20%).
The key findings from the 2021 incident reports are summarised as follows.
The ratio of reported incidents concerning qualified trust services over non-qualified
ones remains high. In 2021, 80% of total incidents had an impact on qualified trust services
when compared with approximately 29% of incidents reported on non-qualified trust services.
Although non-qualified trust services are widely used, not much effort is made by operators on
related incident reporting. In most cases, notifications are performed by a TSP offering all types
of services (qualified and non-qualified), reporting an incident that has affected both their
qualified and non-qualified services.
3
TRUST SERVICES SECURITY INCIDENTS 2021
JULY 2022
It needs to be highlighted that in 2021 significant improvement in this particular area was
noted compared to 2020 when the observation was first made. This is a testament to the value
of the work on incident reporting and the relevant analysis, which had a direct positive impact
on the overall process.
Although non-qualified trust services are widely used by citizens and enterprises, it seems that
the respective trust services operators do not make much effort to report related incidents. In
most cases, the notification is done by a TSP that also offers qualified services reporting an
incident that has affected both their qualified and non-qualified services. Having said this,
compared to 2020, 2021 witnessed an improvement in this direction with 9 incidents affecting
solely non-qualified services being reported.
Approximately 66% (30 incidents) of the reported incidents were rated as minor,
showing stabilisation compared to 2020. No disastrous incidents were reported in 2021,
whereas a significant increase was observed for incidents with a large impact, which
quadrupled compared to 2020 and returned to 2018-2019 values. Furthermore, relative
stability in the number of minor incidents has been observed, indicating that the
incident reporting mechanism has become more familiar to the providers and they are
reporting more incidents regardless of their severity.
ENISA publishes detailed statistics about trust services security incidents in an online visual
tool, CIRAS Visual. This tool allows for custom analysis of trends and patterns 1.
Currently the European Commission, Member States and the European Parliament are
discussing policy changes. Last year the Commission proposed to integrate Article 19, the
1 See https://www.enisa.europa.eu/topics/incident-reporting/cybersecurity-incident-report-and-analysis-system-visual-
analysis/visual-tool
4
TRUST SERVICES SECURITY INCIDENTS 2021
JULY 2022
security requirements for TSPs into a revised NIS (Network and Information Security)
Directive. The goal of this Commission proposal, the NIS2 proposal, is to simplify EU
cybersecurity legislation and to ensure that there is a similar approach across the various
sectors, including the telecom sector and the trust services sector, which are currently
addressed under separate pieces of legislation. This year the Commission will also make a
proposal for a new eIDAS regulation.
ENISA will continue to support national supervisory bodies with the implementation of breach
reporting under Article 19 of eIDAS and to work towards making this process more efficient
and effective, yielding useful data for the supervising bodies, for the national authorities, as
well as for the trust service providers and the organisations relying on these trust services.
5
TRUST SERVICES SECURITY INCIDENTS 2021
JULY 2022
1. INTRODUCTION
Under Article 19 of the eIDAS Regulation 2, Trust Service Providers (TSPs) in the EU are
expected to notify the national supervisory bodies in their country about security incidents. On
an annual basis, the supervisory bodies send summaries of these incident reports to ENISA.
Subsequently, ENISA publishes an aggregated overview of the reported security incidents.
This document gives an aggregate overview of the security incident reports submitted by the
supervisory bodies during 2021. This annual report marks the sixth round of security incident
reporting in the EU’s trust services sector, covering security incidents during 2021.
SCOPE
This report covers incidents reported by authorities under Article 19 of the eIDAS regulation.
TARGET AUDIENCE
The audience for this report includes experts in national authorities and experts in the sector.
CONTENT
This document is structured as follows: in section 2, the policy context is briefly summarised
as is the underlying eIDAS reporting framework and an overview of the types of incidents
reported is provided using anonymised examples.
In Section 3, further elaboration of the reported incidents is given, by presenting the categories
of root causes and the detailed causes as well as the affected services. In section 4, the multi-
annual trends in incidents over the years 2016-2021 are highlighted. In Section 5, conclusions
and observations based on the available data are drawn.
DISCLAIMER
This document only contains aggregated and anonymised information about incidents and
does not include details about individual countries or individual trust service providers.
Detailed discussions about the reported security incidents take place in the ENISA Article 19
expert group, which is an informal group of experts from national supervisory bodies focusing
on the practical implementation of Article 19. The group is currently chaired by a
representative from RTR, the Austrian regulatory authority. ENISA acts as the secretariat and
supports the group with analysis, drafting, logistics, etc.
2
Regulation (EU) No 910/2014 of the European Parliament and of the Council of 23 July 2014 on electronic identification
and trust services for electronic transactions in the internal market and repealing Directive 1999/93/EC, can be consulted
at https://eur-lex.europa.eu/eli/reg/2014/910/oj
6
TRUST SERVICES SECURITY INCIDENTS 2021
JULY 2022
In this section, we give an overview of the formats and procedures for the reporting of
incidents (breaches) under Article 19 of the eIDAS regulation.
1. Trust service providers notify their national supervisory bodies about security eIDAS Article 19
breaches that have significant impact. requires trust
2. The national supervisory bodies inform each other and ENISA if there is a cross- service providers in
border impact. the EU to 1)
3. The national supervisory bodies send annual summary reports about the notified assess risks, 2)
breaches to ENISA and the Commission. take appropriate
security measures
to mitigate security
breaches, and 3)
notify breaches to
national
supervisory bodies.
We briefly introduce the reporting template. The template starts with a ‘type’ selector and has
three parts:
1. Impact of the incident: which trust services are impacted and by how much.
2. Nature of the incident: what caused the incident.
3
See https://ciras.enisa.europa.eu/
7
TRUST SERVICES SECURITY INCIDENTS 2021
JULY 2022
3. Details about the incident: detailed information about the incident, a short description,
the types of services, the types of assets, the severity level etc.
Type A: Service outage (e.g. continuity, availability); for example, an outage caused
by a cable cut due to a mistake by the operator of an excavation machine used for
building a new road would be categorised as a type A incident.
Type D: Threat or vulnerability (e.g. discovery of crypto flaw), for instance, the
discovery of a cryptographic weakness would be categorised as a type D incident.
Type E: Impact on redundancy (e.g. failover or backup system), for example, the
breaking of one of two redundant submarine cables would be categorised as a type E
incident.
Depending on the type selected, some fields in the template are deactivated. For example, in
the case of a Type A incident the fields ‘threat severity factors’ and ‘severity of threat’ are not
active.
8
TRUST SERVICES SECURITY INCIDENTS 2021
JULY 2022
Incident example 1
Incident example 2
9
TRUST SERVICES SECURITY INCIDENTS 2021
JULY 2022
Incident example 3
Incident example 4
10
TRUST SERVICES SECURITY INCIDENTS 2021
JULY 2022
Incident example 5
11
TRUST SERVICES SECURITY INCIDENTS 2021
JULY 2022
3. INCIDENT ANALYSIS
The 2021 annual summary reporting by the 27 EU Member States and 3 EEA countries
participating in this process included 46 security incidents in total 4. This is the sixth round of
annual summary reporting since eIDAS came into force on the 1 July 2016.
Figure 1: Number of reported incidents from 2016 - 2021 under Article of the eIDAS regulation
There is a steady increase in the number of incidents reported which, over the years, leans
towards becoming linear. This suggests that TSPs are becoming more familiar with the
process.
• System failures continue to be the dominant root cause, accounting for almost half of
the total reported trust services incidents (47%, around 22 incidents). Typically,
system failures are due to either hardware failures or software bugs.
• Almost 31% of incidents were categorised as human errors.
• Around 20% of the incidents were flagged as malicious actions.
• Natural phenomena accounted for 2% of the reported incidents.
4
Note that one of the reported incidents was indicated as type D-Active threats or vulnerabilities and is not included in the
analysis.
12
TRUST SERVICES SECURITY INCIDENTS 2021
JULY 2022
We also keep track of third-party failures, i.e. when the incident really originated at a third
party. For 2021, 14 incidents out of 45 were flagged as third-party failures (31.11%), well
above the 14% of incidents flagged as third-party failures in 2020. This finding further
reinforces the need to consider supply chain issues when it comes to security as the
increasing expansion and complexity of modern supply chains affects more and more
services. Out of the 14 third-party failures reported in 2021, 10 were categorised as system
failures, 3 as human errors and 1 as natural phenomena (arguably a natural phenomenon
should not be not classified as third-party failure). Figure 3 provides the full picture.
DETAILED CAUSES
The two most common detailed causes of incidents were flaws in an organisation’s policy or
procedures and faulty software changes/updates, with each one accounting for 20% of the
incidents, followed by other undefined causes (20%) and software bugs (13%).
13
TRUST SERVICES SECURITY INCIDENTS 2021
JULY 2022
It is important to note that an incident is often not triggered by only one cause but can involve
multiple detailed causes (i.e. a chain of events). Interestingly, supply chain causes that were
first introduced in 2021 accounted for 6% of reported incidents, highlighting the increasing
threat caused by supply chains as underlined in the ENISA Threat Landscape for Supply
Chain 5 that was published in 2021.
The full breakdown of detailed causes 6 for reported incidents may be seen in Figure 4.
If we look back at the past years of reporting, we see a similar pattern: 83% of the reported
incidents had an impact on electronic signature services, while 29% affected electronic seals
and 20% affected timestamping services. In general, most incidents refer to electronic
signatures and this may be attributed to their widespread deployment and uptake in
comparison to electronic seals and timestamping services.
5
See https://www.enisa.europa.eu/publications/threat-landscape-for-supply-chain-attacks
6
The remaining 5% refers to specific detailed causes such as ransomware (~2%), DDoS (~2%) and malware and viruses
(~2%).
14
TRUST SERVICES SECURITY INCIDENTS 2021
JULY 2022
For each incident we keep track of the underlying subservices affected. Most incidents have
an impact on the generation of signatures/seals/timestamps (65.22% up from 42% in 2020) or
certificate management (63.04% up from 47% in 2020) (see Figure 6). The impact on the
validation of subservices accounts for 15.22%. Once again, impact on multiple subservices
may be reported for incidents, hence the numbers in the figure account for more than 100%.
Finally, we also keep track of the underlying assets affected by incidents. In most cases, the
assets affected are the platform for the generation and validation of signatures/seals (42%)
15
TRUST SERVICES SECURITY INCIDENTS 2021
JULY 2022
and the Certification Authority (CA) platform (33%). It is interesting to note that in 20% of the
reported incidents, the affected asset involved the registration authority’s platform and in 18%
of the cases the network platform. The dispersion of affected assets calls for a holistic
approach when it comes to the security of trust services, taking into account assets from
across the entire lifecycle and supply chain. See the impact on technical assets in Figure 7.
Figure 8: Breakdown of technical causes per affected asset – TSP security incidents 2021
By delving more into the affected technical assets, one can ascertain noteworthy differences
with regard to the corresponding technical causes (see Figure 8). In the case of the platform
for the generation and validation of signatures or seals, 36% of the incidents report flaws in
policies and procedures as the root cause and 21% software bugs. Conversely, in the case of
the Certification Authority’s platform, the two main root causes are flaws in processes or
procedures (46%) and faulty software updates (20%).
The registration platform incidents have an overwhelming 88% of flaws in policies and
procedures as their root cause, followed by 11% due to theft of data and 11% due to hardware
failures, whereas the network platform has 25% hardware failures, 25% faulty software
changes and 12% of ransomware, as well as a 12% of DDoS attacks as root causes. This
breakdown is extremely important in order to understand where emphasis should be prioritised
when it comes to targeted security controls in the various technical assets of TSPs.
16
TRUST SERVICES SECURITY INCIDENTS 2021
JULY 2022
Note that, in most cases, the TSP notifying an incident is also offering qualified services and
that in most cases the impact on non-qualified services is reported as part of an incident report
for a qualified trust service (hence the numbers adding up to more than 100%). This suggests
that there is a gap in the reporting and that, while Article 19 is also concerned with non-
qualified services, only the TSPs offering qualified trust services are reporting incidents, and
mostly do so concerning incidents that impact qualified services.
17
TRUST SERVICES SECURITY INCIDENTS 2021
JULY 2022
ENISA has been collecting and aggregating incident reports on trust services since 2016. In
this section, we look at multi-annual trends over the last six years, covering the period from
2016 to 2021. The total dataset contains 150 reported incidents.
Note that we observe the same pattern in electronic communication services 7, where system
failures account for almost two thirds (65%) of total incidents (926 out of 1432 incidents). In
the trust services sector, natural phenomena are not a common root cause. In comparison, the
telecom sector is quite different because it has extensive over-the-ground IT infrastructure
which is vulnerable to natural phenomena such as storms. Accordingly, in the case of natural
phenomena as a root cause, consistently low figures are being reported with a peak of 5.6% in
2018 and just 2.2 % being reported in 2021.
Figure 10: Root cause categories – Trust services security incidents in the EU (reported over
2016-2021)
Moreover, incidents concerning human errors are being reported at an increasing rate, with
28.1% in 2019, 38.9% in 2020 and 31.1% in 2021. Malicious actions vary over the years, with
the peak observed during 2018 (38.9%) and a value as low as 5.6% during 2020. During
2021, malicious actions were the root cause for 20% of the reported incidents.
7
See https://www.enisa.europa.eu/topics/incident-reporting/for-telcos
18
TRUST SERVICES SECURITY INCIDENTS 2021
JULY 2022
Figure 11: Nature of reported incidents – Trust services security incidents in the EU (reported
over 2016-2021)
In particular for the incidents reported under the malicious actions category, the most common
detailed causes over the years as shown in Figure 12 were policy/procedure flaws (34%),
theft/loss of data (17%), theft/ loss of equipment (13%), malware (13%) and DDoS attacks
(13%).
It is interesting to contrast these findings with the latest version of the ENISA Threat
Landscape 8 and the identified prime threats (threats against data, malware, threats against
availability, non-malicious threats, etc.). Despite the low number of incidents reported in the
field of trust services, there is an alignment with the findings of the ENISA Threat Landscape,
which illustrates the representative nature of the reports of trust services security incidents.
Figure 12: Detailed technical causes – Trust services security incidents in the EU (reported
over 2016-2021)
88
See https://www.enisa.europa.eu/publications/enisa-threat-landscape-2021
19
TRUST SERVICES SECURITY INCIDENTS 2021
JULY 2022
While comparing the statistics for severity since 2016 (Figure 13), it is quite clear that the
number of incidents with a large impact increased significantly over the course of 2021
compared to the drop that was observed in 2020. It seems that the drop that was observed in
2020 was an outlier, and about 23% of incidents every year are reported as having a large
impact. It is interesting to see that there has been a rather linear increase in minor incidents
over the course of the last few years.
This is again an indication that the incident reporting mechanism has become more familiar to
trust services providers and also more effective; providers are reporting more incidents
regardless of their severity. In contrast to 2018, there were no very large (i.e. disastrous)
incidents during 2019 and 2021 (and only 1 such incident was reported in 2020).
Figure 13: Severity of impact – Trust services security incidents in the EU (reported over
2016-2021)
9
See http://ec.europa.eu/newsroom/dae/document.cfm?doc_id=53646
20
TRUST SERVICES SECURITY INCIDENTS 2021
JULY 2022
Figure 14: Impact on services – Trust services security incidents in the EU (reported over
2016-2021)
Electronic seals and electronic timestamps are respectively the second and third most affected
services, whereas it is interesting to note the consistently low values for web certificates and
electronic delivery services. The reason for the low number of reported incidents in the latter
two categories require further attention in order to investigate whether this is due to reduced
use of the services, better security provisions or lack of maturity in the reporting of such
incidents.
21
TRUST SERVICES SECURITY INCIDENTS 2021
JULY 2022
5. CONCLUSIONS
• A steady lower level of severity confirms that TSPs are becoming more familiar with
the incident reporting process and that they are reporting more incidents, even if they
are less severe.
• Qualified trust services versus non-qualified trust services: the ratio of reported
incidents concerning qualified trust services over non-qualified ones remains high. In
2021, 80% of total incidents had an impact on qualified trust services when compared
with approximately 29% of incidents reported as having impacted non-qualified trust
services. Although non-qualified trust services are widely used, not much effort is
made by operators on related incident reporting. In most cases, notifications are
performed by a TSP offering all types of services (qualified and non-qualified)
reporting an incident that has affected both their qualified and non-qualified services.
It needs to be highlighted that in 2021 significant improvements in this particular area
were noted compared to 2020 when the observation was first made. This is a
testament to the value of the work on incident reporting and related analysis, which
had a direct positive impact on the overall process.
• System failures (47%) remain the dominant root cause and the second most
dominant are human errors at 31%. A notable increase in malicious actions (20%)
was observed in 2021.
• Root causes for malicious actions are consistent with the findings of the 2021
ENISA Threat Landscape. Despite the relatively low number of incidents reported in
the field of trust services, there is an alignment with the findings of the ENISA Threat
Landscape which illustrates the representative nature of reporting on security
incidents relating to trust services.
22
TRUST SERVICES SECURITY INCIDENTS 2021
JULY 2022
the NIS Directive and there was a political agreement on the text in May 2022. Both
policy proposals are expected to deliver important improvements. These policy
changes present an opportunity to address some of the gaps in policy, for example,
the issue of supervision of and reporting by the providers of non-qualified services.
We look forward to supporting the Commission and the EU Member States with
implementing eIDAS security incident reporting in an efficient and effective manner
and contributing to consolidated incident reporting under NIS2.
23
ABOUT ENIS A
The European Union Agency for Cybersecurity, ENISA, is the Union’s agency dedicated to
achieving a high common level of cybersecurity across Europe. Established in 2004 and
strengthened by the EU Cybersecurity Act, the European Union Agency for Cybersecurity
contributes to EU cyber policy, enhances the trustworthiness of ICT products, services and
processes with cybersecurity certification schemes, cooperates with Member States and EU
bodies, and helps Europe prepare for the cyber challenges of tomorrow. Through knowledge
sharing, capacity building and awareness raising, the Agency works together with its key
stakeholders to strengthen trust in the connected economy, to boost resilience of the Union’s
infrastructure, and, ultimately, to keep Europe’s society and citizens digitally secure. More
information about ENISA and its work can be found here: www.enisa.europa.eu.
TP-AK-22-001-EN-N
ISBN 978-92-9204-581-4
ISSN 2599-9435
DOI: 10.2824/16330